[00:00.000 --> 00:07.520]  Thank you. Hello everyone, this is Can from Istanbul, Turkey, and I am with Serkan today,
[00:07.520 --> 00:12.180]  and we will be talking about playing with electricity and red teaming in power distribution
[00:12.180 --> 00:19.180]  companies, or hacking in power distribution companies. Before getting started, I would like
[00:19.180 --> 00:24.320]  to thank the ICS Village team for having us. It's a really great opportunity to meet you all.
[00:24.440 --> 00:29.220]  We really like to be part of community activities all over the world. We also have some
[00:29.220 --> 00:36.000]  community activities in Turkey as well. So it's really great to be meeting you all over here.
[00:36.220 --> 00:43.760]  Basically, we have one hour with you, and we have three parts to our presentation.
[00:44.620 --> 00:50.900]  The first part is an overview. We will give brief information
[00:50.900 --> 00:58.020]  about the electricity architecture and the power distribution company architecture, and give you
[00:58.020 --> 01:04.040]  the SCADA application architecture upon it. And then we will discuss red teaming scenarios.
[01:04.040 --> 01:08.700]  And then we will perform some attacks in our simulation lab.
[01:09.780 --> 01:16.840]  Actually, thanks to Serkan, our simulation lab had some issues. We changed our
[01:17.620 --> 01:24.300]  hardware like four times in the last three days. But it worked at the end of the day, and we
[01:24.300 --> 01:32.000]  recorded videos for this presentation to avoid any problems. So we will have some
[01:32.540 --> 01:42.100]  videos and we will talk over them. All right, so let's do it. Serkan, please go ahead and introduce
[01:42.100 --> 01:48.320]  yourself, please. Thank you, Can. First of all, good afternoon to the American side spectators,
[01:48.320 --> 01:53.610]  and maybe good night or good evening to the European and Asian side spectators.
[01:53.610 --> 01:58.710]  First of all, I'd like to thank you for giving us the opportunity in this beautiful organization,
[01:58.710 --> 02:08.270]  and I'd like to express my pleasure at being here. Now I will give information about myself. I am
[02:08.270 --> 02:14.010]  Serkan Temel. I am an electrical and electronics engineer. I have seven years' experience with
[02:14.010 --> 02:19.910]  industrial control systems and SCADA systems, based on electricity distribution, transmission,
[02:19.910 --> 02:25.510]  and power generation. For the last one year of my career, I'm focused on cyber security
[02:25.510 --> 02:30.130]  in SCADA systems and also focused on industrial control system cyber security
[02:30.130 --> 02:37.070]  topics. Thank you, Can. We can go on now. Presentation. I am also an electrical and electronics
[02:37.070 --> 02:42.770]  engineer, and I have more than eight years of cyber security background. And in the last five years,
[02:42.770 --> 02:49.750]  I mostly concentrated on critical infrastructure and, let's say, SCADA cyber security. At the moment,
[02:49.750 --> 02:57.450]  we're both working cyber-wise for critical infrastructure cyber security.
[02:57.450 --> 03:03.410]  And today, as we mentioned, we will discuss the electric subsector and power distribution,
[03:03.410 --> 03:10.430]  red teaming, and cyber security. All right. We want to start with why electricity matters, actually.
[03:13.030 --> 03:19.010]  It's not just for us, but for the rest of the world. It's the backbone of all critical
[03:19.010 --> 03:27.370]  infrastructure. When it fails, it directly affects the fundamentals of daily life or modern life.
[03:27.370 --> 03:35.010]  For example, it affects the health sector, the transportation sector, the finance sector,
[03:35.010 --> 03:42.190]  and so on. So, once it fails, it directly affects people and public safety, and it's
[03:42.190 --> 03:51.250]  really the backbone of critical infrastructure. So, we wanted to take that part and
[03:51.250 --> 03:58.570]  build a presentation on it. So, we will be discussing red teaming in power
[03:58.570 --> 04:03.350]  distribution companies, but before that, we need to understand the electricity architecture
[04:03.350 --> 04:10.050]  process-wise. Basically, it has three parts. We have power generation, we have transmission lines,
[04:10.050 --> 04:16.270]  and then we have the power distribution part. Most of the time, power plants and power generation
[04:16.270 --> 04:24.610]  are located outside of city centers. That means we need to carry electricity over many kilometers.
[04:24.610 --> 04:30.350]  It means we require the transmission lines. And finally, that means we need power up-down
[04:30.350 --> 04:37.210]  operations. Once we are done with the transmission lines, we come to power distribution.
[04:37.210 --> 04:44.550]  It is the last line of customer touch. I mean, if something fails in the power distribution part,
[04:44.550 --> 04:51.910]  it directly affects the customer and our business. To be honest, the distribution companies and the
[04:51.910 --> 04:58.110]  electricity distribution process are not too complicated when we compare them to power plants
[04:58.790 --> 05:05.330]  or the petrochemical industry. So, it is easy to attack and also it is easy to defend.
[05:06.210 --> 05:10.010]  Serkan, would you like to add something? Yes, I would like to add some points to that
[05:10.010 --> 05:16.930]  presentation. Today, we tell you about distribution, electricity distribution, but I would like you to
[05:17.590 --> 05:24.270]  be aware of this point. The transmission layer is a critical part of the electricity architecture
[05:24.270 --> 05:31.010]  because it's a bridge between power generation and power distribution. And it's the backbone
[05:31.010 --> 05:35.890]  of the electricity architecture. Today's topic is distribution electricity, but
[05:36.450 --> 05:41.570]  transmission is very, very critical from the cyber security perspective. And actually,
[05:41.570 --> 05:47.230]  it depends on the countries or the regions. Sometimes it's operated by the government.
[05:47.230 --> 05:52.030]  Sometimes it's operated by private companies. It really depends on the region and the
[05:52.710 --> 05:59.930]  country's perspective. But I agree with you that the transmission line is also the core of
[05:59.930 --> 06:07.150]  the electricity architecture. Thank you. So, let's deep dive into the power or electricity distribution
[06:07.150 --> 06:13.050]  infrastructure. First of all, it's a really great example of SCADA because you have the people,
[06:13.050 --> 06:19.850]  which means the supervisory element of SCADA, and you have remote locations. As you can see on
[06:19.850 --> 06:25.390]  the screen, there are lots of different substations connected via different types of communication
[06:26.110 --> 06:32.810]  media to your control center or emergency control center. So, as we said, it's a great
[06:32.810 --> 06:40.150]  example of a SCADA application because you get data from all the different remotely located
[06:40.150 --> 06:47.570]  substations. And sometimes you control the remote substations. On the other hand,
[06:47.570 --> 06:53.490]  you have remote offices like payment offices, headquarters, government agencies to report to;
[06:53.490 --> 07:00.630]  you have direct integration. For example, in Turkey, a renewable power plant has to report to the
[07:02.030 --> 07:06.750]  nearest power distribution company for regulation.
[07:07.970 --> 07:14.370]  Basically, what we can say is there are lots of remote locations that we need to control,
[07:14.370 --> 07:20.070]  and that means we need different types of communication media. In distribution companies,
[07:20.070 --> 07:26.350]  we really need to take care of communication media security as part of the defense
[07:27.030 --> 07:33.770]  mechanism. On the other hand, sometimes some companies or some governments or some
[07:33.770 --> 07:39.210]  countries have a smart meter application, which means smart meters have a direct effect on
[07:39.210 --> 07:47.370]  electricity. They open and close the electricity via the metering control center through the smart
[07:47.370 --> 07:54.930]  meters. Why I'm telling you this is because it will affect our red teaming scenarios and our
[07:54.930 --> 08:02.050]  understanding of the infrastructure. What we need to understand from this slide: we need a
[08:02.050 --> 08:07.430]  high level of connectivity, there are different types of communication media, and we have lots
[08:07.430 --> 08:13.010]  of different types of substations and equipment. And for the rest of it, we have lots of different
[08:13.010 --> 08:26.970]  types of integration. All right, I will give brief information and pass to the second stage.
[08:27.430 --> 08:31.870]  We discussed the electricity architecture, and then we discussed the power
[08:31.870 --> 08:38.670]  distribution architecture. Now, we will discuss the SCADA architecture. It's also distributed
[08:38.670 --> 08:45.390]  on the server side. But before jumping into it, we need to understand there is a need for a high
[08:45.390 --> 08:52.130]  level of connectivity in such a power distribution company. Sometimes, you need to connect the
[08:52.130 --> 08:57.450]  outage management system, ERP application, call center, and so on. Maybe, Serkan, give
[08:57.450 --> 09:04.770]  some example about that. Yes, we mentioned in the previous presentation that
[09:04.770 --> 09:13.300]  distribution touches the customers. So, this means that in the distribution company,
[09:13.690 --> 09:23.030]  so many customer-related things are in it, like customer management, outage management, VFMs,
[09:23.030 --> 09:31.550]  other stuff, so many things for the customers. The reason for that is the distribution SCADA systems
[09:31.550 --> 09:39.690]  must be and have to be integrated with IT software applications, like Can mentioned, that's OMS.
[09:39.690 --> 09:49.010]  OMS, VFM, the other companies' third-party software. Because of that,
[09:49.390 --> 09:55.070]  distribution SCADA systems are a little different from the transmission and power generation SCADA
[09:55.070 --> 10:04.120]  systems. And also, in the distribution network, there are so many substations. This means so much data,
[10:04.310 --> 10:12.650]  so many connection stations. So, we need the power of SCADA systems. We have to separate
[10:13.460 --> 10:19.930]  this load onto separate servers, like application server, communication server, data server,
[10:19.930 --> 10:26.930]  backup server, and so on, like HMI server. So, distribution SCADA systems have a little bit
[10:27.210 --> 10:34.630]  distributed and separated structure. It's very similar to an IT environment, actually. You have
[10:34.630 --> 10:40.370]  some type of application servers, communication servers. It does some kind of load balancing,
[10:40.370 --> 10:46.790]  and it requires really great integration with IT applications or business applications. Sometimes,
[10:46.790 --> 10:52.090]  parts of SCADA applications, like what we call the outage management system or call centers,
[10:52.090 --> 10:57.150]  are directly talking to or integrating with our SCADA application. Because once you have
[10:58.370 --> 11:03.870]  a blackout, or a kind of blackout or electricity shutdown, you will get some calls, you will
[11:03.870 --> 11:09.890]  need to reach out to your customers, you need to get some data from SCADA. So, it's really integrated
[11:09.890 --> 11:15.610]  with IT applications, sometimes cloud applications. And on the other hand, you have untrusted parties
[11:15.610 --> 11:21.590]  like vendors, remote offices, other types of control centers or government agencies. So,
[11:21.590 --> 11:27.310]  sometimes it's done via firewall, sometimes directly connected to your initial equipment.
[11:27.310 --> 11:32.730]  It really depends on the customer's strategy, or sometimes they are not really aware of what kind
[11:32.730 --> 11:39.550]  of communication channels they have. But what we need to remember here:
[11:40.130 --> 11:46.430]  our SCADA architecture is distributed by server role, it's like an IT application, and
[11:46.930 --> 11:54.630]  it has integration with the business side. And also, it talks to the substations through our
[11:54.630 --> 12:01.650]  communication media. So, I will leave the comments about substations to Serkan, because he's
[12:01.650 --> 12:08.410]  lost. We have talked about the substation architecture. In the substation architecture
[12:08.410 --> 12:15.530]  for the distribution process, we have some main devices that we use for the process.
[12:15.530 --> 12:25.670]  The first one is the RTU. The RTU is a telecontroller which connects field devices to SCADA systems.
[12:25.670 --> 12:34.370]  The RTU is a data concentrator for data transfer devices. The energy analyzer is an energy meter
[12:34.370 --> 12:42.870]  which gets information from the CT and VT transformers, from the electrical side,
[12:43.470 --> 12:51.370]  translates it to the digital side, and directly sends this information to SCADA systems.
[12:51.370 --> 12:57.570]  The protection relay is critical equipment in distribution, and also transmission, and also
[12:58.170 --> 13:05.310]  generation, as you know. The protection relay is the first IED, the first electronic device,
[13:05.310 --> 13:13.970]  connected to the physical electric system. It is a bridge between the cyber and physical worlds. The reason
[13:13.970 --> 13:20.010]  for that is the protection relay is the most critical part and most critical device in distribution
[13:20.010 --> 13:26.890]  systems. From a cyber security perspective, if you want to shut down the electricity,
[13:26.890 --> 13:34.270]  you have to control the protection relay. Maybe you can attack the RTU, maybe attack
[13:34.270 --> 13:42.070]  the SCADA systems. That has just blocked our monitoring from the field sites. But if we
[13:42.070 --> 13:48.470]  want to control electricity, shut down electricity or re-energize the electricity, you have to
[13:48.470 --> 13:54.550]  control the protection relay. The fourth device is the smart meter. The smart meter, as you know,
[13:54.550 --> 14:00.310]  is for billing purposes and maybe, on the low-voltage side, the customer side, to
[14:00.310 --> 14:09.750]  shut down electricity or re-energize electricity. The last two devices are physical devices.
[14:09.750 --> 14:16.530]  The first one is the low-voltage circuit breaker. It controls the electricity line.
[14:17.430 --> 14:22.930]  And the last one is the medium-voltage cubicles. It means a circuit breaker is also
[14:22.930 --> 14:31.670]  inside these cubicles. It controls the electricity line networks. Next slide, please.
[14:32.330 --> 14:34.270]  I think... Yeah.
[14:34.270 --> 14:43.170]  Yes. Yes, we have the line IED device, the protection line device. This is... I would like to say
[14:43.170 --> 14:52.190]  it again because it is very critical. The protection device has two parts. One is the hardware,
[14:52.190 --> 14:59.290]  the other is the software. On the hardware side, they have analog input, analog output, digital input,
[14:59.290 --> 15:05.990]  digital output, and serial or Ethernet interface. Voltage and current information
[15:06.930 --> 15:15.010]  is taken with analog input modules, and also to control analog systems like set points, power,
[15:15.010 --> 15:20.690]  like setting the frequency, setting the voltage, you have to send analog output.
[15:20.970 --> 15:25.370]  And digital input and digital output are most critical, because digital input comes from
[15:25.370 --> 15:30.890]  basically the circuit breaker position, isolator position, and other information about the
[15:30.890 --> 15:37.610]  systems. And digital output controls the circuit breakers, which means that you control the
[15:37.610 --> 15:42.370]  electricity. Because of that, in SCADA systems and most communication protocols,
[15:42.370 --> 15:48.570]  or anomaly detection, or from a cyber security perspective, we focus on the digital output signal.
[15:49.390 --> 15:54.750]  In the beginning, these devices had a serial interface because at that time there was no
[15:54.750 --> 16:02.430]  Ethernet/IP world. And today most devices have an Ethernet interface, and they gain the
[16:03.310 --> 16:11.990]  advantage of the Ethernet/IP world. But this gain of advantages is the cause of some side effects from
[16:11.990 --> 16:24.730]  the cyber security side. I will tell about it later. On the software side, communication protocols,
[16:24.730 --> 16:36.550]  protocols like IEC 104, DNP3, the others. This helps to communicate with the RTU or communicate with
[16:36.550 --> 16:43.550]  the SCADA systems to send information to the upper level. Logic functions control things like the circuit
[16:43.550 --> 16:51.110]  breaker or other blocking material functions, logic functions, and the configuration interface.
[16:51.110 --> 16:56.590]  The critical part of the IED device, as I mentioned, is that they have an Ethernet interface.
[16:56.670 --> 17:02.950]  Most IED devices nowadays use a web service interface for the configuration
[17:03.830 --> 17:08.210]  software or configuration interface. This is some vulnerability of these
[17:10.210 --> 17:14.530]  systems, the weak point of these IED devices nowadays.
[17:14.530 --> 17:23.390]  Thank you, Serkan. Actually, we always get afraid or freak out about touching such intelligent
[17:23.390 --> 17:28.550]  electronic devices because, as you mentioned, one part is physical, which controls electricity, and
[17:28.550 --> 17:38.270]  one part is cyber. It's the RTU or SCADA applications, and it's like the last line of the physical and
[17:38.270 --> 17:45.910]  cyber breach. Once you control it, you control the electricity. You can control it through the
[17:45.910 --> 17:52.650]  RTU, or you can directly send commands to the IED, or you can trigger some SCADA application
[17:52.650 --> 17:57.570]  set points, and it will directly affect the intelligent electronic devices. But
[17:57.570 --> 18:03.990]  once you're planning a red teaming or pen testing activity, you need to be aware that
[18:05.130 --> 18:12.810]  such devices can affect the electricity, and you need to be really careful what you're playing with.
[18:13.910 --> 18:21.380]  All right, so now we can discuss the red teaming approach and red teaming scenarios.
[18:23.090 --> 18:32.870]  Before jumping into the details, I want to discuss how red it is, because since
[18:32.870 --> 18:38.450]  it's critical infrastructure, since it's the last line of customer touch,
[18:38.450 --> 18:45.830]  can we be really free to do real red teaming? In that case, most of the asset owners and most
[18:45.830 --> 18:54.930]  of the cyber security companies get afraid of, or avoid, the consequences if a bad thing happens. So
[18:54.930 --> 19:03.890]  I may say that nobody does direct red teaming; maybe it's like light pink teaming, let's say,
[19:03.890 --> 19:09.430]  because we really need to be aware that public safety and process safety are much more
[19:09.430 --> 19:18.690]  important than your color activity. So you need to take care of the process, you need to take care
[19:18.690 --> 19:24.770]  of public safety, because we always think in that way: what if we shut down electricity for the
[19:24.770 --> 19:32.130]  hospital and we kill someone in that hospital because of no electricity. So it really sets a
[19:32.130 --> 19:38.370]  great boundary for us to do our tests or pen testing activities or red teaming activities
[19:38.470 --> 19:45.790]  in a controlled way. So it's not really red, light pink maybe, but to understand each other
[19:45.790 --> 19:51.670]  in a better way, I want to express that part as well. So I would like to mention the
[19:51.670 --> 19:58.810]  core steps. We divide them into five main steps. Actually, we discussed the first two of them:
[19:59.490 --> 20:05.270]  understand the process, understand the architecture. Once you do any red teaming
[20:05.270 --> 20:11.390]  activity in any kind of ICS infrastructure, in this case we are talking about power
[20:11.390 --> 20:16.310]  distribution. We gave brief information about the electricity architecture, distribution
[20:16.310 --> 20:25.010]  architecture, SCADA architecture, and substation architecture. And we thought that the power
[20:25.010 --> 20:31.330]  distribution company's process is not too complicated. We have a very limited set of signal types
[20:31.330 --> 20:38.230]  compared to power plants and petrochemicals. So it's a really easy process. It's easy to attack
[20:38.230 --> 20:45.090]  and easy to defend. Now we need to define our landscape, and then we will try to create some
[20:45.090 --> 20:54.650]  kinds of scenarios to directly develop for red teaming activity usage. And then finally,
[20:54.650 --> 21:01.530]  we will perform some kinds of attacks in our simulation lab. I don't want to talk about
[21:01.530 --> 21:08.990]  IT-based, or getting into IT and then jumping into OT, kinds of red teaming activities
[21:08.990 --> 21:15.510]  or landscape. But once you are talking about power distribution red teaming,
[21:15.510 --> 21:21.510]  we wanted to give you brief landscape information: what you need to know,
[21:21.510 --> 21:27.970]  what you are going to face, and how it will affect your planning. So basically, we have
[21:27.970 --> 21:33.130]  eight categories that we will discuss today. The first one is protocols. There are different types
[21:33.130 --> 21:39.430]  of protocols you will see in the field in distribution companies. Basically, in the SCADA part,
[21:39.430 --> 21:45.650]  I mean the wide area network, you will see IEC 104 and DNP3. And at the substation level, you will
[21:45.650 --> 21:53.170]  see different types of protocols, sometimes GOOSE, MMS and so on. And at the upper level, the supervisory
[21:53.170 --> 22:00.810]  level, you will see soft bus, and at the control level, you will see Modbus TCP/RTU, even sometimes
[22:00.810 --> 22:06.890]  serial protocols. And then if you have smart meters, and even in the SCADA application, you may have
[22:06.890 --> 22:12.930]  power line communication. It's still PLC, but it's a different term. We will discuss
[22:12.930 --> 22:18.650]  it today as well. And then we said that communication media is very important. If you
[22:18.650 --> 22:26.430]  get into the communication media somehow, let's say you get into the APN network based on GSM, or
[22:26.430 --> 22:35.410]  you get into the RF signals, you then directly interact with substations, interact with RTUs,
[22:35.410 --> 22:40.550]  and interact with control center equipment and emergency control center equipment. So
[22:40.550 --> 22:47.990]  communication media is also very important for us to rectify in planning. On the other hand,
[22:47.990 --> 22:54.090]  you need to be aware of third-party integration. There are different types of integration. It
[22:54.090 --> 23:01.370]  depends on the country, region, and regulation. You see some of them in our list.
[23:01.370 --> 23:08.330]  And also, as an asset owner, you have some kinds of remote locations or local locations like the control
[23:08.330 --> 23:13.130]  center, emergency control center, metering control center, headquarters, payment offices, or
[23:13.130 --> 23:22.530]  communication center for things like RF towers. So asset owner locations also matter to us.
[23:23.090 --> 23:30.190]  On the other hand, the substation is very important for us because it is remotely located, and physical
[23:30.190 --> 23:37.610]  and cyber control is very limited compared to the control center or emergency control center or
[23:37.610 --> 23:43.330]  headquarters. In that case, you will be facing industrial protocols on industrial devices,
[23:43.330 --> 23:50.390]  and you may apply some kind of hopping attacks. What I mean by that: once you get into a
[23:50.970 --> 23:57.550]  specific remote substation, you can jump to another substation, you can jump to the
[23:57.550 --> 24:04.150]  control center or emergency control center, you may create some fake signals, like coming
[24:04.150 --> 24:10.990]  from the old remote substation, and so on. So it's a very great entry point and a great
[24:12.710 --> 24:19.570]  defense point for us. But I should stress that in the substation, we have some physical
[24:19.570 --> 24:24.550]  controls. For example, if someone opens the door, or if someone opens the cabinet, if someone is
[24:25.190 --> 24:31.330]  moving in the substation, it creates some alerts and sends signals over 104 to the control
[24:31.330 --> 24:38.190]  center. So we still have some types of controls that we need to be aware of when we plan SOC
[24:38.190 --> 24:42.830]  activities or when we plan red teaming activities. On the other hand, technology.
[24:43.490 --> 24:50.290]  I'm sure that all the villagers have proper knowledge of them. I don't want to go through each
[24:50.290 --> 24:57.030]  of them, because it's like IT-wise pen testing or red teaming, because it's servers, network devices,
[24:57.030 --> 25:03.050]  and some kinds of field devices. So I don't want to go through each of them.
[25:03.050 --> 25:07.070]  And on the other hand, we have people. For example, in Turkey, we have a specific regulation
[25:07.070 --> 25:13.490]  for assessment in power generation and distribution companies, and it requires social
[25:13.490 --> 25:21.450]  engineering activities for the energy people, let's say the asset owner's people. Sometimes we
[25:21.450 --> 25:27.810]  see that some red teaming activities hit the vendor engineers, or OT partner or engineering
[25:27.810 --> 25:41.310]  company engineers. So the people segment is also really varied, and they have different types of mechanisms.
[25:41.310 --> 25:46.270]  For example, in Turkey, we need to do physical pen testing, we need to do
[25:46.990 --> 25:55.150]  phone calling, we need to do email-based social engineering. It's all written down by the
[25:55.150 --> 26:01.850]  regulation. And also, yet another landscape for us is the industrial process, and we will discuss it
[26:01.850 --> 26:09.490]  in yet another conference, because since there are fewer signals and it's less complicated in
[26:09.490 --> 26:16.970]  power distribution and the power industry, the industrial process vulnerabilities may affect
[26:16.970 --> 26:28.090]  public safety directly. So we avoid mentioning the entry points of process vulnerabilities,
[26:28.090 --> 26:35.250]  but we can discuss it later for other industries in the following days.
[26:35.250 --> 26:42.470]  All right, so I hope we understood the process, we understood the architecture, and defined some
[26:42.470 --> 26:50.110]  kind of landscape. Again, it may change by region, country, and regulation, but we need to understand
[26:51.010 --> 26:57.930]  the basics of distribution. So we need to create some kinds of scenarios. In this presentation,
[26:57.930 --> 27:06.370]  we created three types of scenarios. We have created a specific table for that. I will discuss
[27:06.370 --> 27:15.630]  it through them. And again, it's not IT-based red teaming or pen testing. We tried to create some kinds
[27:15.630 --> 27:27.610]  of scenarios with a direct effect on electricity. So in the first scenario, we had a chance to work with the
[27:27.610 --> 27:33.730]  IoT team leader and hardware security leader, Fatih Kayran. Actually, he developed this
[27:33.730 --> 27:38.570]  scenario and applied it in the field. Once upon a time, we were in the distribution company
[27:39.210 --> 27:45.550]  and came up with the idea, we figured out somehow, that the smart meters were controlling the
[27:47.930 --> 27:57.530]  city's electricity, which means if we could find a way to send a proper command to the smart meters,
[27:57.610 --> 28:03.770]  it would directly shut down the electricity. In that case, the smart meters were talking through
[28:03.770 --> 28:10.570]  power line communication. And so we created our scenario based on this. So for
[28:10.570 --> 28:17.470]  the team mates to understand each other in a better way, we create such a table to define our success
[28:17.470 --> 28:24.350]  criteria, difficulty factors, and decide if a kill chain is required or not. I will walk through
[28:24.350 --> 28:31.910]  one table, and I will pass through the rest of it because we will perform a real-time simulation
[28:31.910 --> 28:40.410]  for the rest of it. In this scenario, we targeted shutting down the electricity. But before jumping into
[28:40.410 --> 28:48.450]  that, we classified our tactics and techniques based on MITRE: manipulation of control and
[28:48.450 --> 28:54.270]  manipulation of view. And our entry point was the smart meters' power line communication.
[28:54.330 --> 29:02.750]  Complexity in this scenario was high. Difficulty was high because unknown protocols were there,
[29:02.750 --> 29:08.330]  a specific hardware design is required, and the high-voltage work environment can be dangerous,
[29:08.950 --> 29:15.630]  because we lost one of our laptops and one of our team members got injured during this test,
[29:15.630 --> 29:20.170]  because we worked with the high voltage directly at the plugs.
[29:20.850 --> 29:26.550]  For a better understanding, you plug the smart meter into the
[29:28.190 --> 29:37.550]  city network. So you turn that specific smart meter into a weapon to target the electricity.
[29:37.830 --> 29:43.810]  For a better understanding, I will discuss it through this presentation. So the dependency was
[29:43.810 --> 29:49.130]  communication interface reverse engineering or protocol reverse engineering. The required time was
[29:49.130 --> 29:56.010]  high for us. And also, what were our success criteria? Understand the protocol, send and
[29:56.010 --> 30:03.530]  receive packets on the power line, send a command to cut off the electricity for a defined area.
[30:04.350 --> 30:12.190]  Sometimes we create some SOC success criteria for our customers to better detect the next attacks.
[30:12.190 --> 30:17.930]  In that case, it could be hardware or smart meter log management, OMS log management,
[30:17.930 --> 30:21.710]  call center log management, or smart meter application log management that could be a success
[30:21.710 --> 30:28.990]  criterion in that case. We define log sources for red teaming activities, and then we define a
[30:28.990 --> 30:35.170]  purpose, method, and kill chain activity. In that case, our purpose was to shut down the electricity
[30:36.010 --> 30:43.730]  from an unexpected point of entry through unexpected communication media, turning plug-in meters into
[30:43.730 --> 30:52.890]  industrial attack equipment. So our idea was simple. Power line communication works through
[30:52.890 --> 31:02.630]  the power signals. You modulate it and put your data into the electricity signals. So it directly
[31:03.270 --> 31:11.330]  talks through the electricity. I think yesterday, there was a specific session about that.
[31:11.330 --> 31:18.610]  In that case, we will look into how it's used in distribution companies. In that case,
[31:18.610 --> 31:23.090]  we have the pack concentrator, which is directly connected to different types of customers,
[31:23.090 --> 31:28.590]  almost lightning, and there are smart meters, and there are some power line communication
[31:29.270 --> 31:34.930]  interfaces, and it connects to the backend system through the APN, in that case,
[31:34.930 --> 31:41.310]  over the internet. So guess what? It was the broadcast messages going through the specific
[31:41.310 --> 31:48.750]  power line. If you have specific hardware, you can develop it, or you can turn smart meter into
[31:48.750 --> 31:57.590]  your tool. In that case, we made it, and we were able to understand the reading data,
[31:57.590 --> 32:03.830]  and the shut down electricity commands. So since it's broadcast, each of the smart meters gets
[32:03.830 --> 32:11.270]  the data, and once you give an order, everyone gets the order, but one of them applies it and reports
[32:11.270 --> 32:20.550]  back to the center. So once you sniff the data, you see the smart meter ID, and in that case,
[32:20.550 --> 32:29.210]  power line communication, we're using the DLMS/COSEM protocol. In that case, that specific number
[32:29.210 --> 32:35.730]  defines the shutdown electricity command, like the double command in 104, very similar.
[32:36.070 --> 32:44.250]  And also, in that case, we were able to get readout data. In this case, this is the readout
[32:44.250 --> 32:55.150]  for the DLMS/COSEM protocol. What we are trying to say is that you don't directly attack the SCADA
[32:55.150 --> 33:06.310]  application, RTUs, or IEDs. The best way, and the easy way, is to find yet another proper line
[33:06.830 --> 33:13.650]  to your end goal. So in that case, the power line communication and smart meters
[33:16.150 --> 33:23.270]  gave us a chance to shut down the electricity, but you need to deal with high voltage electricity,
[33:23.270 --> 33:28.990]  you need to deal with power line communication, new types of protocols, modulation, demodulation,
[33:28.990 --> 33:36.730]  encryption; these types of things require much more time. But most of the time, the asset owners and
[33:36.730 --> 33:44.250]  the pen testers don't pay attention to that channel. So you really create value for your
[33:44.250 --> 33:53.210]  customer and people's safety in that case. So as I know, the European countries also have great
[33:53.210 --> 34:00.010]  implementation of smart meters. We need to take care of these standards as well.
[34:04.160 --> 34:12.060]  So our last two scenarios, based on the RTUs and industrial protocols,
[34:12.060 --> 34:19.040]  we will show how to do industrial red teaming in a real lab environment, which took days for
[34:19.040 --> 34:28.160]  Serkan and got old during these sessions. Basically, we have two different scenarios
[34:28.660 --> 34:36.040]  for this presentation. One of them is extracting data from config files without further reverse
[34:36.040 --> 34:42.140]  engineering or further implementation of anything. The thing about that is, you have some type of
[34:42.140 --> 34:48.980]  configuration files, you don't have any access to the OT environment or substation yet, but you will
[34:48.980 --> 34:57.360]  figure out some type of data to plan your next session of red teaming activities. We have a
[34:57.360 --> 35:06.380]  specific example of that. Since I discussed the last table deeply and in detail, I don't want to
[35:06.380 --> 35:12.760]  discuss it, losing any time on that. So I will jump into the next one, because we will discuss
[35:12.760 --> 35:20.220]  real scenario. Yet another scenario for this session is the remote substation protocol attack.
[35:20.720 --> 35:27.600]  In that case, the attacker needs to interact with the substation equipment. It can be done
[35:27.600 --> 35:33.940]  via Raspberry Pi implementation and connect through the Wi-Fi and so on, like we did in our
[35:34.560 --> 35:41.060]  lab environment. And we will shut down the electricity using the protocol
[35:41.760 --> 35:48.420]  commands. Once we understand what kind of protocols are used and how, once we understand the
[35:48.420 --> 35:55.300]  protocols, we will figure out where to send the data and finally send the data to shut down the
[35:55.300 --> 36:03.540]  electricity. To have a better understanding of each other, what we are trying to say is,
[36:04.540 --> 36:11.040]  if you are planning a red teaming activity or assessment in a power distribution company,
[36:11.500 --> 36:17.300]  you need to understand the process, you need to understand the architecture, you need to
[36:17.300 --> 36:22.740]  understand the landscape. Once you have these three elements, then you can create your scenarios.
[36:22.740 --> 36:31.520]  You need to think out of the box, but that box doesn't mean you can go outside public safety rules
[36:31.520 --> 36:36.700]  or process safety rules. So it's really hard to balance.
[36:37.260 --> 36:46.900]  And we want to give you some simple ideas to reach your end goal,
[36:47.380 --> 36:53.260]  rather than implementing some IT-based or IT-related red teaming activities.
[36:54.660 --> 37:04.180]  I think I can be free from now and put Serkan into the fire.
[37:05.020 --> 37:12.200]  As a tradition, we are face to face with Murphy's law.
[37:12.220 --> 37:21.220]  But finally, we succeeded in setting up a lab. Now I have new information about the lab setup.
[37:21.220 --> 37:30.680]  It's a very simple part of a substation process. We have one RTU, ABB 140,
[37:31.960 --> 37:41.260]  and one IED device, one SCADA server, SCADA PCs, and also one switch.
[37:41.260 --> 37:50.120]  We use CapWare software as a SCADA master. And also we use the Modbus TCP protocol and also
[37:50.120 --> 38:03.240]  the IEC 104 protocol. Modbus TCP is used for the IED device, between the RTU and the IED, and IEC 104 we use between
[38:03.240 --> 38:12.560]  the RTU, SCADA and CapWare device. The tricky part is the implemented hardware in the substation as an attacker.
[38:12.560 --> 38:19.360]  We think that we have some Raspberry Pi device or another device as the attacker machine.
[38:21.440 --> 38:28.100]  Now, before jumping into details, I would like to mention that this setup doesn't indicate
[38:28.100 --> 38:35.400]  any vulnerabilities on the ABB RTU. It's just a simple RTU that we could use from the market,
[38:35.400 --> 38:42.460]  and we knew how to configure it. So we will do some protocol-based simulation,
[38:42.460 --> 38:48.100]  but it doesn't just affect ABB. It's based on the leverage of the protocol usage,
[38:48.100 --> 38:52.480]  to avoid any misunderstanding. And also it is a very common
[38:53.240 --> 39:00.900]  RTU used in European and Asian sites. And also this is the second reason we chose this RTU.
[39:00.940 --> 39:10.420]  Now we can jump into the labs video. All right, so we will start with interfaces and signals.
[39:11.640 --> 39:19.710]  Well, first we do the configuration of the RTU. I'll jump into that, just a second.
[39:22.440 --> 39:30.660]  Yes, we use the RTU 500 software for programming the RTU, configuring the RTU.
[39:38.690 --> 39:45.650]  We created it before and open the existing project. This part takes a little bit of time.
[39:45.650 --> 39:56.330]  It may be boring. They hide the project file deep inside my file system.
[39:58.530 --> 40:10.250]  Yes, a Turkish character error. Now, this is the RTU 500 software interface. This is the network
[40:10.250 --> 40:17.910]  tree. We have three communication lines. One is IEC 104 for SCADA communication. The other
[40:17.910 --> 40:25.650]  one is Modbus TCP for the IED device, the Modbus communication line. You can easily see
[40:25.650 --> 40:34.610]  some parameters of the communication protocol. Yes, it is the IEC 104 communication protocol setup.
[40:37.130 --> 40:44.390]  As you see, that's ASDU address, ASDU address structure, information structure, maximum length of
[40:44.390 --> 40:53.410]  IDLE. And then, this is the Modbus TCP side configuration.
[40:58.760 --> 41:07.880]  This is the network tree. Now, we are in the hardware tree. On the hardware side, we choose our RTU
[41:08.420 --> 41:16.140]  main CPU model. And also, we add the field level signal information on that side, the hardware side.
[41:16.140 --> 41:23.060]  And also, as you see, this is the Modbus TCP communication configuration zone.
[41:23.600 --> 41:27.040]  This is the IP address of the IED device.
[41:28.320 --> 41:41.190]  And also, again, the 104 configuration section. Now, these are the RTU interfaces.
[41:42.270 --> 41:49.470]  It has two Ethernet interfaces. As you see, those are the IP addresses of the interfaces.
[41:54.300 --> 42:01.060]  And on this side, we configured our field level signal, like active power. That is the Modbus
[42:01.060 --> 42:09.660]  side, with holding register, index number 13. And this is the SCADA IEC 104 side, ASDU address 1,
[42:09.660 --> 42:18.960]  information object address 103. And the other signals, like phase A current, phase B current.
[42:19.540 --> 42:24.680]  We recorded all and show all the parameters of the signal.
[42:31.960 --> 42:40.700]  And maybe you want to replay it in your own lab. So, we wanted to give you brief info in this section.
[42:40.700 --> 42:48.280]  The other sections will be much faster, let's say. But once you understand that part,
[42:48.280 --> 42:54.960]  the configuration, it's much easier to understand the rest of the simulation.
[42:55.080 --> 42:58.580]  This is the type of the Modbus signal. As you see, those are force
[42:59.540 --> 43:05.720]  commands, signal commands, and register read coil status. Read coil status is used for the
[43:05.720 --> 43:11.560]  information, single point information, digital inputs, like the position of the circuit breaker.
[43:12.960 --> 43:17.580]  And switch control means that it sends a control command to the circuit breaker.
[43:18.280 --> 43:25.120]  Power limit set points, and the other mid-range information, phase A current,
[43:25.120 --> 43:31.980]  phase B current, phase C current. It's a very simple model of the substation.
[43:36.260 --> 43:39.880]  So, we can jump into the second report.
[43:39.880 --> 43:41.860]  Second report.
[43:44.360 --> 43:53.340]  In this report, we directly connect to the RTU web interface. As you see, this is the IP address of
[43:53.340 --> 44:03.460]  the first Ethernet interface. Use username and password. On that site, you can easily see the
[44:03.460 --> 44:08.700]  configuration management site. You'll see the configuration file, which configuration is now
[44:08.700 --> 44:17.360]  active, when you updated this configuration file, and also get the configuration file from the device,
[44:17.360 --> 44:23.200]  and also delete this configuration, etc. And also, directly on the site, you can easily monitor
[44:23.200 --> 44:28.320]  the signal system log, system event status, and client session log, and also the hardware tree.
[44:28.320 --> 44:38.100]  The hardware tree is the live monitoring of the RTU; especially on the site, you see that the RTU is active,
[44:38.100 --> 44:46.800]  the RTU is operable, which means that it's connected to a device. As you see, the CPI switch position is on,
[44:46.800 --> 44:51.960]  and also metering information about the systems.
[44:54.140 --> 44:57.460]  It is live data, real-time data.
[45:01.060 --> 45:07.940]  Now, I can talk a little bit about the configuration file, if you wish. Our third video is related to the
[45:07.940 --> 45:14.620]  configuration file and extracting some data. Again, it doesn't indicate any vulnerabilities
[45:14.620 --> 45:21.080]  on the RTU, but somehow, if you reach the backup systems, or if you reach the file
[45:21.080 --> 45:27.880]  server in the IT system, once we have a configuration file, now we will download it
[45:27.880 --> 45:35.640]  and extract some data from it. It's really easy, actually, before further reverse engineering
[45:36.250 --> 45:43.420]  implementation. In that case, we are not in the remote substation, we are not in the control room.
[45:43.420 --> 45:49.180]  Somehow, we get data about the configuration file. It can be an engineering workstation,
[45:49.180 --> 45:56.750]  a file server again, or a backup system, maybe an engineering partner's workstation.
[45:57.100 --> 46:03.680]  Once I get the configuration file, I am directly able to see what kind of RTU is used,
[46:03.680 --> 46:11.040]  what version, for what purpose they are using it, what kind of interfaces, and what kind of IP addresses
[46:11.900 --> 46:20.720]  they have. And also, what kind of protocols they have. It will affect my further planning,
[46:20.720 --> 46:27.540]  actually, in the red teaming activity. What kind of devices are connected to that RTU in the substation,
[46:27.540 --> 46:35.060]  and what kind of signal parameters they are looking for. So once I have that information
[46:35.060 --> 46:43.620]  without any probing, any scanning activity, or any physical attachment, it really leverages
[46:43.620 --> 46:52.660]  your effort once you have that kind of specific knowledge. We have also some specific
[46:52.660 --> 47:02.200]  projects where reverse engineering reads all the data, not in human-readable format at the moment;
[47:02.200 --> 47:12.600]  you have much better information and knowledge about the targeted system. So in that case,
[47:12.600 --> 47:19.740]  we want to show you, you don't need to go to the control center or remote substation. Somehow,
[47:19.740 --> 47:27.680]  if you are able to get config files, you may read them directly with Notepad++ and read some data,
[47:27.680 --> 47:33.480]  understand the process, understand the protocols, interfaces, and plan a better red teaming activity
[47:33.480 --> 47:41.540]  or targeted attack on the targeted system. So I will jump into your part, Serkan.
[47:42.100 --> 47:48.760]  Yes, the fourth video is about the normal, traditional application and communication
[47:48.760 --> 47:57.820]  with SCADA systems and the RTU. First of all, I will show my IP address, in the same subnet as the
[47:57.820 --> 48:07.810]  RTU interface one. And then we use, as said before, CAPS server as the SCADA software, the SCADA master
[48:07.810 --> 48:15.570]  program. This is the configuration of the master side, the CAPS player side, the CAPS server side
[48:15.570 --> 48:23.370]  configuration file. As you see, the communication address, common address,
[48:29.160 --> 48:36.560]  advanced settings, network interface, as we have the same subnet, same IP address,
[48:36.560 --> 48:45.140]  more advanced parameters for IEC 104, originator address, and also the network
[48:45.140 --> 48:52.920]  interface. Network interface means that this is the IP of the RTU and the port of IEC 104.
[48:56.420 --> 49:06.000]  And on this side, we also configure our signal. This means that it is an analog short float value.
[49:08.640 --> 49:17.900]  IOA is 103. So it is the breaker control commands, meaning single commands.
[49:21.840 --> 49:28.860]  Actually, it will directly affect the opening and closing of breakers. Later on we will apply some
[49:28.860 --> 49:34.040]  scenarios. It's really important to understand what type of parameter and what type of
[49:34.040 --> 49:40.080]  commands they take. Now we are connected to the RTU. As you see, this is the real-time data.
[49:40.420 --> 49:47.880]  As you see, active power 2400. And also breaker control is zero. Breaker position is one,
[49:47.880 --> 49:55.700]  which means that it's closed. Now we send the breaker control. The control command is one.
[49:57.320 --> 50:02.120]  Yes, it takes the command. In real-time and real-time operation,
[50:02.120 --> 50:08.880]  when we send this command, we re-energize that circuit breaker or shut down the circuit breaker
[50:08.880 --> 50:25.660]  with this command. All right. Now, and also I would like to show some Wireshark
[50:26.780 --> 50:31.220]  traffic between CapWare and the RTU.
[50:32.740 --> 50:39.560]  This is the Ethernet. We apply our display filter for IEC 104.
[50:46.700 --> 50:51.000]  Yes, as you see, this is a test frame in the protocol.
[50:52.020 --> 50:57.860]  Now we re-send the command again and show the traffic.
[51:01.360 --> 51:06.360]  Yes, this is the commands, single command.
[51:08.580 --> 51:17.060]  IOA address 107. As you see, this is the Wireshark single command.
[51:18.760 --> 51:27.520]  Address is one. IO address is 107. And also the set command value is zero. As you see,
[51:27.520 --> 51:35.360]  you can easily get this information from Wireshark because IEC 104 is a clear-text protocol,
[51:35.360 --> 51:42.140]  not an encrypted or hashed protocol. You can easily get information from the traffic.
[51:43.380 --> 51:51.860]  In that case, you see that the single or double commands take place in IEC 104. In that case,
[51:51.860 --> 52:01.320]  we send a specific shutdown or open command in a targeted area. In case it was zero, it means
[52:01.320 --> 52:09.680]  we shut down the electricity through legitimate traffic. I mean, it was traffic generated by the
[52:09.680 --> 52:17.900]  control center. Now we will try to apply it from an attacker's point of view, who is in the remote
[52:17.900 --> 52:26.580]  substation via implemented hardware. This is the fifth video of ours.
[52:27.960 --> 52:37.480]  Yes, we have information about the second interface of the RTU. Now in the attacker machine,
[52:37.960 --> 52:43.940]  I configure my IP address for the second interface of the RTU, as you see.
[52:44.320 --> 52:47.220]  Okay, now
[52:49.760 --> 52:58.740]  I use nmap for some research, to search for vulnerabilities or open ports.
[53:00.420 --> 53:07.320]  In that case, we are looking for who has IEC 104. In that case, that protocol
[53:07.320 --> 53:13.680]  uses a specific port if nobody changes it. So we are looking in the same subnet
[53:14.260 --> 53:22.620]  for whether someone has that specific protocol. Please be aware it's an attacker's point of view who
[53:22.620 --> 53:31.780]  got into the substation looking for some IEC 104 endpoints and two devices. We found it. This is the
[53:32.320 --> 53:42.080]  RTU device as you see from the IP address, and also the IEC 104 port is open and also the service is up.
[53:44.700 --> 53:51.260]  But now we have only information about the RTU's protocols and the RTU's IP address, but we don't
[53:51.260 --> 53:59.640]  have any information about the signal and signal address. Now we use CapWare again. We
[54:01.420 --> 54:21.870]  configure CapWare again, as you see. We tried it once. Now it's connected to the RTU.
[54:22.930 --> 54:31.710]  Now in the protocol structure, we have the general interrogation command. When we send this command,
[54:31.710 --> 54:39.090]  the RTU gets it, responds and sends all the information inside this RTU.
[54:40.730 --> 54:46.470]  We send the GI command to the RTU. I don't know any information about the object address, but
[54:46.470 --> 54:53.910]  when we send this command, the RTU responds to this command and now we can easily observe which
[54:54.690 --> 55:00.430]  address and which type of information is inside of it. As you see,
[55:00.430 --> 55:14.290]  address is 1, IO address is 100 and the value is also, as you see, 332, etc, etc.
[55:16.290 --> 55:24.810]  So basically the protocol gives us an opportunity to pull all kinds of signals and data from the RTU
[55:24.810 --> 55:30.530]  for a specific protocol line. As an attacker, we use the exact same
[55:32.050 --> 55:37.990]  tool, but it's a simulation environment. Again, you can use your lab environment,
[55:37.990 --> 55:44.330]  that specific tool. Yet another tool we have, it's developed by, I think, a master's degree
[55:44.330 --> 55:54.510]  student in Germany. It's called ISE test. And to make it sure for all of you, we will send the latest
[55:54.510 --> 56:03.170]  command to that specific tool. Next, again, the RTU. Now we send the command again.
[56:03.650 --> 56:13.770]  Get information from the traffic and also we send commands to 107. As you see from the Wireshark
[56:13.770 --> 56:26.680]  traffic, we send commands and also on/off commands. And also as you see, from the traffic, it is the
[56:26.680 --> 56:42.140]  action confirmation from the RTU in line numbers 18 and 37. GCSCNA at confirmation. As you see,
[56:42.140 --> 56:45.040]  this means that the RTU accepts this command.
[56:48.260 --> 56:55.140]  Once you get into the substation, you pull data through the protocol and you send the command
[56:55.140 --> 57:00.900]  through the protocol again. In that case, single command or double command supported by 104.
[57:01.140 --> 57:09.440]  And then you are able to shut down the electricity. In that case, if it's your end goal,
[57:09.440 --> 57:15.480]  you may apply very different types of scenarios and red teaming activities, but we want to show
[57:15.480 --> 57:21.780]  you that it can be done. There are some safety mechanisms or configuration mechanisms to avoid
[57:21.780 --> 57:27.080]  it. Sometimes you implement an IPS-based solution or an anomaly detection solution to
[57:27.080 --> 57:34.460]  counter that kind of activity. So in this session, we are at the end of our presentation with takeaways.
[57:34.460 --> 57:40.420]  We would like to stress that during a red teaming activity, we need to think out of the box,
[57:40.420 --> 57:46.340]  but we still need to take care of public and process safety. It's really a rule of thumb
[57:46.340 --> 57:52.500]  for us. The power distribution environment is not as complicated process-wise when compared to
[57:52.500 --> 57:58.740]  power plants or petrochemical, but it directly affects the other critical infrastructures and
[57:58.740 --> 58:05.300]  customers directly. Power distribution companies have lots of different interdependencies.
[58:05.640 --> 58:09.620]  Therefore, information gathering could be a role for red teaming activities.
[58:10.420 --> 58:14.720]  And power distribution companies are easy targets and easy to defend compared to other
[58:14.720 --> 58:24.140]  ICS infrastructure. So we have two minutes left. If you have any questions, please feel free to
[58:24.140 --> 58:33.040]  ask. We will be on Discord as well, as much as we can. So Serkan, if you have any comment,
[58:33.040 --> 58:42.180]  please do it, or we can get to questions. If you have any questions, we will be on Discord.
[58:43.220 --> 58:46.980]  We will be happy to answer your questions.
[58:48.380 --> 58:54.980]  Can and Serkan, thank you for your talk. I noted in the Discord speaker Q&A that I consider
[58:54.980 --> 59:00.940]  this a mandatory talk to watch for both learning about 101 and assessments. So I really, really
[59:00.940 --> 59:08.600]  appreciate y'all dialing in and supporting us. Thank you very much for having us. I hope you enjoyed.
